- Total News Sources
- 1
- Left
- 1
- Center
- 0
- Right
- 0
- Unrated
- 0
- Last Updated
- 8 hours ago
- Bias Distribution
- 100% Left
Zenity Reveals Zero-Click AI Exploits Targeting Copilot, Gemini, ChatGPT
At the Black Hat USA 2025 conference, researchers from Israeli firm Zenity revealed a new class of zero-click and one-click prompt injection attacks dubbed AgentFlayer, which target popular enterprise AI platforms such as ChatGPT, Microsoft Copilot, Google Gemini, Salesforce Einstein, and Cursor with Jira MCP. These attacks exploit the autonomous nature of AI agents by embedding malicious instructions in seemingly innocuous files or data sources, causing the AI to leak sensitive corporate or personal information without any user interaction. For example, attackers could craft a document with hidden prompts that instruct ChatGPT to exfiltrate API keys from connected services like Google Drive, or manipulate Salesforce Einstein to redirect customer emails to attacker-controlled domains. Zenity’s demonstrations highlight how these vulnerabilities turn AI agents' proactive data fetching into a critical security risk, rendering traditional user-verification defenses ineffective. Salesforce has already patched the identified vulnerability in Einstein, but the broader issue persists as AI agent adoption grows and prompt injection techniques evolve. The research underscores an urgent need for improved AI security measures, as even AI developers like OpenAI caution against trusting new ChatGPT agents with sensitive data.
